[dns-operations] Why would an MTA issue an ANY query instead of an MX query?

Paul Vixie paul at redbarn.org
Sun Jun 10 21:33:30 UTC 2012


On 2012-06-10 4:47 PM, sthaug at nethelp.no wrote:
>> to that end, vernon schryver and i have been exploring rate limiting in
>> BIND 9. there's a patch available, which i've so far offered only to
>> anyone whose server is currently getting abused. what i'm worried about
>> is that our profile for goodput-vs-badput is wrong headed or too course
>> grained. so far so good.
>>
>> config {
>>     // ...
>>         rate-limit {
>>                 responses-per-second 5;
>>                 window 5;
>>         };
>> };
> I'm afraid we may need more control. If my clients are generating a DDoS
> attack at 20 responses per second, and I limit this to 5 per second -
> the C&C can get the same effect by mobilizing four times as many clients
> to do the job.

no. the client ip is spoofed. the number of spoofers doesn't matter,
when the reflector is looking at both the apparent client ip and the
intended response. when most well-provisioned authority servers are
running with some kind of rate limiting, then the only way to do a
reflective amplifying ddos will be (a) do it through recursive not
authority servers, or (b) send a small number of queries to a large
number of authority servers, or (c) switch to some other wide area udp
such as ntp or snmp or syslog or whatever.

none of those things is low hanging fruit; they will require enough
work, even by script kiddies, that most attackers will switch back to
ddos-for-hire which will work through direct bombing by botnets. this is
because recursive servers can generally run closed (on-net or on-campus
only) and the smallish number of open ones can rate limit (as opendns
and googledns both do today); and because maintaining a catalogue of
server+qtuple inputs for spoofed-source attacks will be a lot more work
than "just use ripe.net or isc.org" as happens today; and because ntp
and snmp generally reflect just fine but don't amplify as well as dns.

> On my wishlist, in addition to rate limiting, is also:
>
> - Some way of dynamically blackholing clients, based on one or more of
> -- Rate limit exceeded
> -- Asking the *same* question (with a large response) repeatedly
> -- Asking a *specific* question (e.g. ANY isc.org|ripe.net)
> -- Input from an external system, e.g. via rndc

all but the last are already done. distributed blackholing of abusive
source addresses is dangerous, since in udp, the source addresses will
often be spoofed. this means blackholing is likely to cut off responses
to legitimate queries from the victims. (vernon and i spent a lot of
time working on that problem especially.)

paul
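The keying argument in the message above (the limiter looks at the apparent client address together with the intended response, so the number of spoofing hosts is irrelevant) and the blackholing caveat, as an added example. This is my own toy model, not the BIND 9 patch or any code from Vixie and Schryver; it treats `responses-per-second` and `window` as a sliding-window allowance of `rps * window` identical responses per client /24, which is an assumed simplification of the real credit/debit accounting. The victim address, query names and spoofer counts are constructed for the simulation.

```python
"""Toy model of DNS response rate limiting (RRL) keyed on (client /24, qname, qtype).

Added example, not the BIND 9 patch. The two knobs from the thread are modelled
as: at most responses_per_second * window identical responses to one client
network within any `window`-second interval. BIND's real accounting differs in
detail (credit/debit balances, slip/truncation); the point shown here is the
keying, which makes the count of spoofing hosts irrelevant.
"""
from collections import defaultdict, deque
import ipaddress


class ResponseRateLimiter:
    def __init__(self, responses_per_second=5, window=5, prefix_len=24):
        # Allowance per key within any sliding window of `window` seconds.
        self.limit = responses_per_second * window
        self.window = window
        self.prefix_len = prefix_len
        self.sent = defaultdict(deque)   # key -> timestamps of responses sent
        self.dropped = 0

    def _key(self, client_ip, qname, qtype):
        # Apparent source (aggregated to a /24) plus the intended response.
        net = ipaddress.ip_network(f"{client_ip}/{self.prefix_len}", strict=False)
        return (str(net), qname.lower().rstrip("."), qtype.upper())

    def allow(self, client_ip, qname, qtype, now):
        """Return True if the response may be sent, False if it is rate limited."""
        key = self._key(client_ip, qname, qtype)
        q = self.sent[key]
        while q and q[0] <= now - self.window:   # expire timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            self.dropped += 1
            return False
        q.append(now)
        return True


VICTIM = "192.0.2.10"   # constructed: the forged source address, i.e. the real target


def simulate_spoofed_flood(spoofers, seconds, queries_per_spoofer_per_second=10):
    """Every spoofer forges VICTIM as source and asks the same amplifying question.

    Returns the number of responses that actually reach VICTIM. Because all the
    forged queries share one key, the result is independent of `spoofers` once
    the flood exceeds the allowance.
    """
    rrl = ResponseRateLimiter(responses_per_second=5, window=5)
    delivered = 0
    for t in range(seconds):
        for _ in range(spoofers * queries_per_spoofer_per_second):
            if rrl.allow(VICTIM, "isc.org", "ANY", now=t):
                delivered += 1
    return delivered


def blackhole_comparison():
    """Contrast RRL with blackholing the apparent source once it exceeds the limit.

    Returns (rrl_allows_victims_own_query, blackhole_allows_victims_own_query).
    RRL keys on the response too, so the victim's unrelated query still gets an
    answer; a source blackhole cuts the victim off because the spoofed queries
    carried its address.
    """
    rrl = ResponseRateLimiter(responses_per_second=5, window=5)
    blackholed = set()
    for _ in range(100):                       # spoofed burst at t=0, source = VICTIM
        if not rrl.allow(VICTIM, "isc.org", "ANY", now=0.0):
            blackholed.add(VICTIM)             # naive policy: block any source over limit
    rrl_ok = rrl.allow(VICTIM, "www.example.net", "A", now=1.0)   # constructed legit query
    bh_ok = VICTIM not in blackholed
    return rrl_ok, bh_ok


if __name__ == "__main__":
    for n in (50, 200):
        print(f"{n} spoofers, 10 s: {simulate_spoofed_flood(n, 10)} responses reach the victim")
    print("victim's own query answered under RRL / under blackholing:", blackhole_comparison())
```

Quadrupling the spoofer count changes nothing: with `responses-per-second 5` and `window 5` the victim receives 25 responses per 5-second window whether 50 or 200 hosts forge its address, which is the reply to the "mobilize four times as many clients" objection. The second function is the blackholing caveat from the end of the message: the same apparent source that "exceeded the limit" is the victim, so blocking by address alone silences it.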


